AUTHOR: Kelledin
DATE: 2003-09-06
LICENSE: GNU Free Documentation License
SYNOPSIS: Adding ACL support to your LFS
DESCRIPTION:
ACLs (Access Control Lists) are a means of fine-grained control of filesystem
access permissions. These are useful not just for extending local filesystem
security on your Linux system, but also for serving Windows clients via samba.
PREREQUISITES: LFS-CVS-20030906 or later, kernel 2.4.21
HINT:
1. Background Information
------------------------------------------------------------------------------
Access Control Lists (ACLs) are a means of providing fine-grained per-user
access control for files and directories. The traditional UNIX method of
access control divides users into three categories: file owner, group members,
and everyone else. Access control via POSIX ACLs can be achieved on an
individual user basis, effectively superseding the traditional UNIX access
control.
ACLs depend on Extended Attributes (EA) functionality, a means for certain
arbitrary pieces of metadata to be associated with files and directories.
Currently ACLs are the only major use of EAs in Linux.
Currently, Linux can support POSIX ACLs in ext2/3 and SGI's XFS. ReiserFS,
however, will probably not get ACL support until Reiser4 (which is currently
experimental).
As far as networked filesystems go, samba servers can support ACLs when
working with Windows-based clients, but not Linux/UNIX-type clients. Cross-
platform NFS support is even more tricky with ACLs. Patches to extend the
current NFSv3 implementation are available from http://acl.bestbits.at/ ;
however, they are not covered here, and the full extent of their ACL support
is unknown.
2. Caveats
------------------------------------------------------------------------------
It should be noted that some versions of ACL support don't play nice with
quota support in ext3. You will likely have frequent lockups if you try to
use both at the same time.
It should also be noted that if you're using fileutils instead of the newer
coreutils, an ACL-enabled fileutils has a few quirks that break some shell
scripts. This is because "ls -l" from an ACL-enabled fileutils will mark each
ACL-enabled entry with a "+" sign trailing after the traditional permissions
bits. In short, instead of this:
-rw-r--r-- 1 root root 27173 Jun 12 02:41 filename
"ls -l" will print this instead:
-rw-r--r--+ 1 root root 27173 Jun 12 02:41 filename
Any shell script that parses the output of "ls -l" for itself is liable to not
expect that "+" sign.
coreutils-5.0 does not add this extra "+" sign.
3. Download
------------------------------------------------------------------------------
In order to get ACL/EAs working, you will first need kernel patches. You
should try to make this work with a recent (2.4.18+) kernel. This hint
recommends and assumes that you use a reasonably vanilla 2.4.21 kernel.
If you plan to use ACLs with ext2/3, you need the following patch:
http://acl.bestbits.at/current/diff/ea+acl+nfsacl-2.4.21-0.8.60.diff.gz
If you plan to use ACLs with SGI XFS, you need the patches from:
ftp://oss.sgi.com/projects/xfs/Release-1.3.1/kernel_patches/ \
linux-2.4.21-core-xfs-1.3.1.patch.gz
ftp://oss.sgi.com/projects/xfs/Release-1.3.1/kernel_patches/ \
linux-xfs-1.3.1.patch.gz
It should be noted that as of Dec 8 2003, SGI XFS is integrated with the
vanilla Linux kernel. 2.4.24 should come with XFS support when it is released,
so the above XFS patches will likely be unnecessary.
You will also need userland libraries and utilities. Thanks to the recent
ACL/EA syscall reservations, both XFS and ext2/3 ACLs are served by the same
packages. However, the packages hosted at http://acl.bestbits.at are very
outdated. It is recommended that you retrieve the packages from the SGI
FTP server:
ftp://oss.sgi.com/projects/xfs/cmd_tars/attr-2.4.12.src.tar.gz
ftp://oss.sgi.com/projects/xfs/cmd_tars/acl-2.2.21.src.tar.gz
You should also compile a version of coreutils that works with ACLs, so that
you don't lose ACL information with day-to-day file manipulation. In addition
to the coreutils source package, you need the coreutils patchset for this:
http://acl.bestbits.at/current/diff/coreutils-5.0-0.tar.gz
4. Compile
------------------------------------------------------------------------------
Now the fun really begins.
First, apply the necessary patches and compile a kernel with ACL support
(CONFIG_FS_POSIX_ACL=y). This can be found under "Filesystems" when
using "make menuconfig." For XFS, you may also need to enable certain
suboptions of XFS support, found in the same menu screen.
Once you've got the kernel compiled and installed, it may be necessary to copy
your new kernel headers to /usr/include/{linux,asm,asm-generic} all over again
(I hear FHS zealots wailing already).
For the next bit, compile the attr-2.4.12 libraries:
# set CFLAGS...
./configure --prefix=/usr --enable-shared --enable-static &&
make OPTIMIZER="" DEBUG="-DNDEBUG" &&
make install install-lib install-dev &&
mv /usr/libexec/libattr.*a /lib &&
rm -f /usr/libexec/libattr.* /lib/libattr.so &&
ln -s ../../lib/libattr.so.1.1.0 /usr/lib/libattr.so
Now compile the acl-2.2.21 libraries:
# set CFLAGS...
./configure --prefix=/usr --enable-shared --enable-static &&
make OPTIMIZER="" DEBUG="-DNDEBUG" &&
make install install-lib install-dev &&
mv /usr/libexec/libacl.*a /lib &&
rm -f /usr/libexec/libacl.*a /lib/libacl.so &&
ln -s ../../lib/libacl.so.1.1.0 /usr/lib/libacl.so
At this point, you should immediately be able to examine ACL's on an XFS
filesystem using getfacl and setfacl.
In order to enable ACLs on ext2/ext3, you will need to configure certain mount
options. The "user_xattr" option enables user-accessible extended attributes;
the "acl" option enables ACL support. You can either specify these options at
every mount (possibly via /etc/fstab) or make these options enabled-by-default
on a specific ext2/ext3 filesystem via tune2fs:
tune2fs -o user_xattr /dev/
tune2fs -o acl /dev/
Now you need to patch coreutils. This is a bit complicated, as the coreutils
patchset from acl.bestbits.at is a disorganized mess. I will assume you have
untarred the patchset in /usr/src:
# set CFLAGS...
patch -p1 < /usr/src/coreutils-5.0-0/coreutils-acl.diff &&
patch -p1 < /usr/src/coreutils-5.0-0/coreutils-acl+posix.diff &&
patch -p1 < /usr/src/coreutils-5.0-0/coreutils-xattr.diff &&
patch -p1 < /usr/src/coreutils-5.0-0/coreutils-i18n.patch &&
patch < /usr/src/coreutils-5.0-0/coreutils-5.0.dif &&
patch < /usr/src/coreutils-5.0-0/coreutils-tests.patch
Now you should compile coreutils according to the instructions in your favorite
version of the LFS book.
At some point, you may wish to compile samba with ACL support. This is a
simple matter of passing the "--with-acl-support" flag to samba's configure
script.
5. Aftermath
------------------------------------------------------------------------------
You should now be able to view and modify ACLs on an ACL-ready filesystem, by
way of the setfacl and getfacl utilities from the acl package. coreutils will
not view or modify ACLs directly but will preserve them when moving, copying,
or creating files.
A properly compiled samba should be able to support ACLs over the network.
While samba servers aren't in the habit of providing even complete UNIX-style
permissions to UNIX/Linux clients, an ACL-enabled samba server is better
equipped to support Windows clients.
------------------------------------------------------------------------------
CHANGELOG:
[2003-12-08]
* Updated with ext2/ext3 instructions (thanks to Daniel Thaler).
* Updated to support new SysV-free XFS 1.3.1 release.
* Updated to include newer versions of acl and attr.
[2003-09-06]
* Updated to support coreutils, linux-2.4.21, and recent new XFS 1.3 release.
* Rewrote to accommodate new hints format.